This driver allows you to associate vServer guests with a ''virtual'' network device rather than the host's real network interface, which functions to hide packet counters from vServer guests. There is no other use for this step, so feel free to skip it if you are not worried about sharing packet counters. Packet counts ''may'' be useful to an attacker with control of a vServer guest who wishes to perform side-channel attacks during cryptanalysis, or network traffic analysis against your host or other vServer guests. If you did not understand the last sentence and your installation is not particularly security sensitive, then the chances that you will encounter a skilled attacker are slim to none and you should feel free to skip this section.

+

This driver allows you to associate vServer guests with a ''virtual'' network device rather than the host's real network interface, which functions to hide packet counters from vServer guests. '''There is no other use for this step''', so feel free to skip it if you are not worried about sharing packet counters. (Packet counts ''may'' be useful to an attacker with control of a vServer guest who wishes to perform side-channel attacks during cryptanalysis, or network traffic analysis against your host or other vServer guests. If you did not understand the last sentence and your installation is not particularly security sensitive, then the chances that you will encounter a skilled attacker and this will actually matter are slim to none and you should feel free to skip this section.)

====Process====

====Process====

−

First you need to load the dummy interface driver

+

First you need to load the dummy interface driver (requires CONFIG_DUMMY=m in your kernel configuration)

# modprobe dummy

# modprobe dummy
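Review bot: The parenthetical added to the modprobe step says the driver "requires CONFIG_DUMMY=m", which reads as if a modular build is the only option. A kernel built with CONFIG_DUMMY=y also provides the dummy driver, and in that case there is no module to load and the "# modprobe dummy" line is unnecessary. Suggest "requires CONFIG_DUMMY=m in your kernel configuration, or =y, in which case skip the modprobe". As a style point, putting the threat rationale in the first paragraph inside parentheses makes the only security justification for this section read as an aside; a plain sentence would serve readers deciding whether to skip it better.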

Line 39:

Line 39:

address 192.168.1.250

address 192.168.1.250

netmask 255.255.255.0

netmask 255.255.255.0

+

+

====Optional Extra Step====

+

It is possible to facilitate further segregation (such that even dummy packet counters are never shared between guests). To do so, use:

+

# modprobe dummy numdummies=<number-of-devices-required>

+

... and associate each vServer with a unique dummy device.

===Guests===

===Guests===

−

Set up each guest vserver. If you skipped the above step, replace dummy0 with the name of your host's primary network interface, for example eth0.

+

Set up each guest vserver. If you skipped the host configuration above, you will need to replace dummy0 with the name of your host's primary network interface, for example eth0.

cd /etc/vservers/$VSERVER/interfaces/0

cd /etc/vservers/$VSERVER/interfaces/0
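Review bot: In the new Optional Extra Step, "# modprobe dummy numdummies=<number-of-devices-required>" comes after the Process step that has already run "# modprobe dummy". modprobe does nothing when the module is already loaded, so a reader following the page in order ends up with a single dummy0 and the numdummies option is silently ignored. State that this command replaces the earlier one, or that the module must be unloaded first. The step also ends at "associate each vServer with a unique dummy device" without saying how, while the Guests text still refers only to dummy0; add that the devices are named dummy0, dummy1, and so on, and that each guest uses its own device name wherever the guest setup says dummy0.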

Line 56:

Line 61:

For internal packets going outside, pretend each packet came from our external IP (put it in one line without backslash):

For internal packets going outside, pretend each packet came from our external IP (put it in one line without backslash):

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \

−

-d ! 192.168.1.0/24 -j SNAT --to-source $EXTIP

+

! -d 192.168.1.0/24 -j SNAT --to-source $EXTIP

−

For each service that runs on a vserver, map it to an external port. Vserver local address <code>$VHOST</code> and port <code>$INTPORT</code> you select one external port <code>$EXTPORT</code> and run the following (put it in one line without backslash):

+

For each service that runs on a vserver, map it to an external port. (For each ?) Vserver local address <code>$VHOST</code> and port <code>$INTPORT</code>, you select one external port <code>$EXTPORT</code> and run the following (put it in one line without backslash):
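Review bot: The rewritten port-mapping sentence leaves an editorial question, "(For each ?)", in the published text, and the sentence still does not parse ("Vserver local address $VHOST and port $INTPORT, you select one external port"). Resolve it before saving, for example "For each vserver local address $VHOST and port $INTPORT, select one external port $EXTPORT and run the following". On the SNAT rule, moving "!" in front of "-d" is the negation form current iptables expects, so that part looks right; a short note that older instructions used "-d ! 192.168.1.0/24" would help readers comparing this with other guides.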

This driver allows you to associate vServer guests with a virtual network device rather than the host's real network interface, which hides packet counters from vServer guests. There is no other use for this step, so feel free to skip it if you are not worried about sharing packet counters. (Packet counts may be useful to an attacker with control of a vServer guest who wishes to perform side-channel attacks during cryptanalysis, or network traffic analysis against your host or other vServer guests. If you did not understand the last sentence and your installation is not particularly security sensitive, then the chances that you will encounter a skilled attacker and that this will actually matter are slim to none, and you should feel free to skip this section.)

For each service that runs on a vserver, map it to an external port. For each vserver local address $VHOST and port $INTPORT, select one external port $EXTPORT and run the following (put it on one line without the backslash):